It's time to nuke password security questions

I'll come right out and say it: password security questions are not only insecure, they're a blatant security hole. They're worse than not being there at all, for any of several reasons.

First, they're all the same. How many times have you been asked your mother's maiden name, the make or model of your first car, what city you were born in, or the name of your first pet? These answers, if given truthfully, are easy to find out. You've likely blogged the answer at some time in the past.

If I know your uncle's last name, odds are I also know your mother's maiden name (a 50/50 shot there, and if I know he's your maternal uncle, I've got it).

At this point, these security questions are no better than a second, easy-to-guess password. And in cases where they're used to recover a password, they become more of a risk than anything else.

The only thing to do here, if these questions are mandated, is to make up a unique and incorrect answer. Yet another password. Yet another password to remember, and many password managers don't recognize these question fields as password fields to store and protect.

The immediate solution is two-factor authentication. When you log in to a site, the site sends a one-time code to your phone and you must enter that number. The password is simply there to keep people from causing the code to be spammed to your phone and interrupting you while you're in the bathroom. Since everyone has a smartphone these days (a generalization I'm prepared to make), this requires someone who wishes to hack you to have access to your phone. Sure, if they get your phone they get everything, but they still need to know your password to cause the two-factor to fire. It's not perfect, but it's close.

The real solution is an un-replayable biometric solution. A fingerprint reader on every keyboard, implemented in such a way as to make storing and replaying of biometric data impossible. That's a tough nut and might also have to include physical two-party, but I suspect it would work.

If you want into a site, you don't need to give it a name or password. You simply place your finger on the scanner and then wait for your phone to give you the access code which you then type in. The code expires the moment it's used (or in 60 seconds if it is unused). Thus, storing the biometric data isn't really all that useful. And if the biometric data is somehow hashed with an expiring timestamp, storing it won't do much good after a few minutes anyway.
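The server side of the one-time code described above (single use, dead after 60 seconds if unused), as an added example that is not from the original post. Account ids, the six-digit code format, the attempt limit and the injectable clock are my assumptions; only a hash of each code is kept so a leaked table does not expose live codes.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # the post's rule: an unused code expires after 60 seconds
MAX_ATTEMPTS = 5       # assumption: discard a code after a few wrong guesses


class OneTimeCodeStore:
    """Issues and verifies single-use login codes sent out of band (e.g. to a phone)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock    # injectable so expiry can be tested deterministically
        self._pending = {}     # account_id -> (code_hash, expires_at, wrong_attempts)

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account_id: str) -> str:
        # Six decimal digits from a CSPRNG; this is what would be sent to the phone.
        # Issuing a new code replaces any earlier pending one for the account.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = (self._hash(code), self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        entry = self._pending.get(account_id)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code_hash, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[account_id]     # expired unused: discard it
            return False
        if hmac.compare_digest(code_hash, self._hash(submitted)):
            del self._pending[account_id]     # consumed on first use: a replay now fails
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]     # too many guesses: force a fresh code
        else:
            self._pending[account_id] = (code_hash, expires_at, attempts)
        return False
```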

Either way, passwords are dead and password security questions are worse than dead.

About the author

Christopher Ambler is a Principal Architect at GoDaddy who writes sleek, performant, low-overhead Java and Scala code. In his copious spare time he can be found playing poker or listening to progressive music not in 4/4 time. He recently relocated to sunny California from Seattle.